In a conversation with NYU Cyber Scholar Emily Poole ’18, Monaco touched on a range of critical cybersecurity issues: the evolution of the threat, the nation states that merit the most concern, the role of the private sector, and what the federal government can do to address cybercrime.

In her White House role, Monaco took part in President Obama’s first meeting of each day, going over the day’s top threats and other critical national security issues. Monaco, whom Obama had nicknamed “Dr. Doom,” recounted that at this meeting, “the president would turn to me and say, ‘What’s on your plate?’ The issue that I raised with him the most over time was the cyber threat.”

Today, there are more and different types of actors in cybercrime, including nation states, criminals, and “hactivists” who are promoting a political agenda, according to Monaco. Beyond perpetrating identity theft or denial of service attacks, they are holding data hostage through ransomware, and attacks by nation states have even caused physical effects. Monaco pointed to the 2012 attack on Saudi Aramco, one of the world’s largest oil companies, which crippled 35,000 computers and forced the organization offline for months. Among nation states, said the cybersecurity expert, Russia is the most sophisticated and increasingly aggressive actor, while China presents the highest volume of threats; Iran and North Korea are also concerns for the US.

One key issue: Fundamental norms still need to be defined. “Unlike in the physical realm, where we have a Geneva convention about how to protect civilians in a time of war, we don’t have a digital Geneva convention where we protect civilians from cyber [attacks] in a time of peace,” said Monaco, referencing a proposal from Microsoft president Brad Smith.

Among the US, UK, Canada, New Zealand, and Australia, there is basic agreement that attacking a country’s critical infrastructure during peacetime, with physical impacts resulting in loss of life, constitutes unacceptable behavior. Short of that, however, the international community has no agreement. Some progress was made in 2015, according to Monaco, when Obama threatened China with sanctions in response to state-sponsored cyberespionage carried out against American companies. The move pressured Chinese President Xi Jinping to accept a diplomatic resolution: the two countries agreed to a set of norms forbidding state-sponsored cyber espionage for economic gain. This norm was adopted by the G20 later that year.

Monaco stressed that in order to effectively fight cyber threats, the relationship between government and the private sector must improve. Private companies, which are often the victim of cybersecurity breaches, are in the best position to understand the attacks. On the other hand, the government should also act as a convener on this issue to encourage the development of cybersecurity standards, rather than mandate a specific approach.

“We need to move to an orientation of ‘secure by design,’” said Monaco. “If we do not change our orientation and drive the private sector to be thinking that way, we are just compounding the problem, and we’re adding billions of these devices to be connected to the grid, and it is creating an ever expanding ‘attack surface.’”